IAAC Directors' Guides



















Some time back I bumped into a handy management guide on information risk - a double-sided leaflet from the Information Assurance Advisory Council. In 2015, it inspired a security awareness briefing explaining that colourful process diagram, which has now morphed into a further 5-page briefing on Information Risk Management, soon to join the SecAware ISMS templates.

Googling for the IAAC guide led me to a cluster of FREE Directors' Guides from the IAAC offering useful, relevant guidance for senior management:
"Information Risk encompasses all the challenges that result from an organisation’s need to control and protect its information."
"Directors need to put in place the arrangements and processes by which responsibilities are distributed and significant information risk decisions are to be made and reviewed."
  • Information Risk Management Approach - encourages directors to support the remainder of the organisation in fulfilling their responsibilities for information risk, ensuring strategic alignment between risk management and business objectives.
  • Realising the Benefits - outlines the business benefits of good information risk management in terms of: efficiency; agility; manageability; exploitation of new opportunities (more confidently expanding into new areas of business); customer retention; brand strengthening; cost-efficient compliance; and dealing efficiently with incidents.
"Good information risk mitigation supports organisational strategies and tactical agility rather than limiting them."
  • Information risk mitigation - a double-sided leaflet (actually about information risk management - not just mitigation) mentions this often-overlooked aspect:
"Information risk mitigation processes normally deal with each risk situation in isolation.The regular review of risks should include a reckoning to ensure the aggregate risk position does not grow out of proportion to expectations or to the organisation’s risk tolerance."
  • Regulation and Legislation - outlines directors' compliance responsibilities relating to information risk and security, privacy etc. This guide mostly discusses the need to avoid penalties and liabilities (including directors' personal liabilities as officers), touching only briefly on the idea of a 'principles based' approach - in other words, going beyond the mandatory minimum. I would have preferred it to emphasise that proactive compliance can be good for business e.g. strategic planning to become compliant with new laws and regs by the most efficient route, taking advantage of corporate change initiatives and projects.
  • Cyber Security and Information Assurance:Scenarios for Directors - uses five business situations as case studies to brief directors on the kinds of issues they might get involved and be expected to deal with. We find case studies very useful to scratch beneath the surface of complex topics, engaging, informing and motivating people to take notice.
"It is not sufficient for the leaders of the organisation just to acknowledge in words that information is valuable and that risks must be mitigated. They must portray it through their decisions and actions. Staff develop their understanding of the organisation’s culture more by what they see than by what they hear." 

Hear hear!  The advice is sound, although incomplete - for example I didn't notice any mention of resilience and business continuity (although that is a concern of IAAC, elsewhere), nor of 'offensive security' (actively exploiting third parties' information security vulnerabilities for the organisation's business advantage - obviously raising ethical concerns).

Sound advice like this is valuable both as it stands, and as a basis to develop awareness materials, strategies, policies and procedures. 

Popular posts from this blog

Pragmatic ISMS implementation guide (FREE!)

Image
Early this morning ( very  early!) I remotely attended an ISO/IEC JTC 1/SC 27/WG 1 editing meeting in London discussing the planned revision of ISO/IEC 27003:2017 . Overall, the meeting was very productive in that we got through a  long  list of expert comments on the preliminary draft standard, debated the objectives of the project and the standard and reached consensus on most points. In summary: 27003 is to be revised to align with the current 2022 releases of ISO/IEC 27001 , 27002 and 27005 : These changes are  mostly  minor aside from the new section 6.3 on ISMS changes.
Read more

Two dozen information risks that ISO forgot

Image
Selecting the wrong controls - controls that are inappropriate, ineffective, too costly, impracticable, fragile, unnecessary, counterproductive or whatever, often as a result of blind faith in fads and fashions of the day and FOMO e.g. MFA, AI, cyber Failing to select the right controls - controls that are ideal for the particular situation, both now and in perpetuity, for whatever reason - mostly ignorance and prejudice Selecting and implementing controls at the wrong time or in the wrong way (where 'wrong' includes ineffective, inappropriate, sub-optimal e.g. bolting on controls rather than designing and building them in) Inept and inaccurate identification, analysis and quantification of risk, including reliance on p oor quality (incomplete, inaccurate, out of date, misleading, unreliable ...) information about actual risks, particularly subtle and emerging risks plus those involving deliberate concealment and misdirection e.g. fraud, misinformation, disinformation, propagan
Read more

ISMS internal audit priorities

Image
A thread on the ISO27k Forum sparked my imagination over coffee this morning. Hope had previously asked for assistance with an ISO/IEC 27001:2022 audit plan.  Bhushan offered a lengthy and generally sound response explaining how to use a spreadsheet with tabs to plan and record the audit work performed on 100% of the main body clauses and 50% of the 93 Annex A controls, day-by-day. That's OK ... except it wasn't entirely clear that he was interpreting and elaborating on the standard's actual requirements. ISO/IEC 27001 does not explicitly require, for example, that (as Bhushan stated) "ALL the management system clauses from 4 to 10 AND their sub-clauses need to be listed and audited" in an ISMS internal audit, although evidently he interprets it in that way. In clause 9.2.1, the standard states a requirement for internal audits to provide information on whether the ISMS conforms to the organization’s own requirements for the ISMS plus the requirements of the stan
Read more